Communication over private networks is broken for some customers in the OACI infrastructure.
Traffic captures show ARP response coming from some foreign MAC address that are outside of OACI.
Two different Virtuozzo infrastructures are joined into the same internal network. Virtuozzo 7 nodes have
proxy_arp feature enabled by default, which entails responding to any ARP requests for IPs that are outside of backnet NIC network, but are reachable over other NICs.
The issue is specific to Virtuozzo 7 networking.
As a fast workaround, proxy_arp feature should be disabled on the Virtuozzo 7 nodes that are inside the same network as OACI nodes, but are not registered in OACI:
# sysctl -w net.ipv4.conf.all.proxy_arp=0
Note that disabling
proxy_arp feature breaks host-routed network connectivity for Virtuozzo virtual machines. It will only be possible to use bridged network type for VMs.